Legal Updates

The Cayman Islands Monetary Authority (“CIMA”) has issued rules on internal controls (the “Rules”) applicable to all regulated entities[1] (each an “Entity”) which set out five components of internal control to be addressed by each Entity and which will take effect from 14 October 2023. The Rules are intended to ensure that the Entity has the ability to carry on its business, that its clients’ assets are safeguarded, that its records are properly maintained and its financial, operational and regulatory reports are reliable and that it complies with all applicable law and regulation.

The application of the Rules is subject to a proportionality test based on the entity’s size, complexity, structure, the nature of its business and its risk profile. The Rules apply across a wide range of regulated Entities and their implementation is likely to vary considerably between each class of Entity as well as between Entities within each such class as a result of the proportionality test. Investment funds which commonly outsource the majority of their operations will want to implement the Rules in a manner that accommodates the existing compliance policies of their service providers. Banks and other more substantial local Cayman businesses will want to implement the Rules as part of their own internal policies updating their existing compliance framework once the Rules are in effect.

It should be noted that in the context of investment funds the Rules will apply to Cayman master funds in a master feeder structure and where a Delaware LLC acts as general partner of such a fund it will need to ensure that it complies with the Rules. It may be beneficial for such a general partner to use a Cayman based service provider to supply or augment their governing body to take advantage of their familiarity with the Cayman corporate governance regime.

Many of the requirements of the Rules repeat those set out in CIMA’s rule on corporate governance (which is the subject of a separate briefing) and this briefing seeks to highlight those areas which are not subject to such repetition. The components of internal control set out in the Rule are summarised below.

Control Environment

The governing body of an Entity should:

• approve and review overall strategies and significant policies of the Entity;
• understand the material risks faced by the Entity, set acceptable levels for such risks and ensure that steps are taken to identify, measure, monitor and control those risks;
• consist of some members who are independent from the daily management of the Entity;
• periodically discuss with its management the effectiveness of its control systems;
• review evaluations of internal controls conducted by management or internal or external auditors;
• ensure that management has followed up on recommendations and concerns expressed by auditors or CIMA on internal control weaknesses; and
• document its organisational structure including functions, reporting lines, responsibility and authority and keep it current communicating any changes to staff.

The senior management of an Entity should:

• develop processes that identify, measure, monitor and control risks incurred by the Entity;
• monitor the effectiveness of the internal control system;
• ensure that there are no gaps in reporting lines and that effective management control is extended to all levels of the Entity and its activities;
• maintain sufficient knowledge, skill and experience; and
• implement a program to evaluate the effectiveness of the any internal control systems adopted by service providers.

All staff of the Entity should regularly update their training and skills to ensure compliance with internal control policies and all applicable law and regulation.

An Entity should demonstrate a commitment to integrity and ethical values, including:

• effective oversight, accountability and performance evaluations of staff;
• establishing effective policies, security controls, and assessing responsiveness of staff to monitoring activities and information requests;
• demonstrating the importance of internal controls and displaying ethical values in dealings with staff and service providers; and
• avoiding practices that may incentivise inappropriate activities such as undue emphasis on performance by reference only to short-term goals, ineffective segregation of duties or controls and insignificant or overly onerous penalties.

An Entity should hold persons with assigned responsibility for internal controls accountable ensuring that:

• all staff communicate to management any problems in operations, non-compliance with the code of conduct or policies or any illegal actions; and
• all operational procedures are documented and made available to all staff.

Risk Identification and Assessment

Entities must identify and assess the material risks related to their objectives involving:

• identifying, measuring and analysing material risks including those relating to the complexity of the Entity’s structure, its activities, the quality of staff, organisational changes and staff turnover, fluctuation economic conditions, changes in the industry and applicable technology;
• determining how those risks will be managed;
• considering the impact of possible internal and external changes that may render the control system ineffective;
• considering grouping objectives into those relating to operations, reporting and compliance;
• reviewing and revising internal controls to address new or previously uncontrolled risks, considering how various scenarios might affect cash flows, transactions and customer experiences;
• addressing measurable and non-measurable risks and weighing the costs of controls against the benefits they provide; and
• the evaluation of whether risks are controllable or non-controllable, assessing whether controllable risks are acceptable and the extent to which they should be mitigated and assessing whether non-controllable risks should accepted or whether the relevant business activity should be reduced or terminated.

Control Activities and Segregation of Duties

Control Activities

Entities must develop control activities, including over technology, through policies and procedures to mitigate the material risks related to their objectives. The policies and procedures should be monitored and updated where found to be inadequate. Senior management should ensure that control activities are an integral part of the daily functions of all relevant staff.

The control activities should include:

• establishing a control structure with control activities defined at every business level;
• top level reviews by the governing body or senior management through presentations and performance reports from lower levels of management facilitating the identification of problems, control weaknesses, financial errors or fraud;
• activity controls for different departments and divisions through more regular and more detailed reports;
• physical controls restricting access to tangible assets, dual custody and reconciliations;
• monitoring compliance with risk exposure limits including borrowing or counterparty limits and following up on non-compliance;
• a system of approvals and authorisations for transactions over certain limits;
• a system of verifications and reconciliations of transaction details, risk management models and cash flows; and
• a system of supervisory controls to assess compliance with the above.

Segregation of Duties

Entities must ensure that there is adequate segregation of duties subject to the proportionality test and where such segregation is not reasonably practical they must implement alternative control activities. Duties of staff should be segregated to reduce the risk of errors, inappropriate or fraudulent actions, manipulation of financial data for personal gain or to conceal losses and misappropriation of assets. Segregation might involve dividing responsibility for approving transactions, recording transactions and handling the related assets. Alternative control activities might include rotation of duties, increased management oversight and/or outsourcing. Segregation of duties should be periodically reviewed to identify conflicts of interest and ensure that independent checks are in place.

Information and Communication

Entities must use reliable financial, operational, compliance and external market information to support their internal controls. Where applicable Entities should manage information in line with their established record retention policies. In particular:

• information systems must be secure, monitored independently and supported by adequate contingency arrangements;
• electronic information should have an adequate audit trail to avoid use of unreliable or misleading information;
• controls should be maintained over computer systems to ensure continued proper operation including backup and recovery procedures, software development and acquisition policies and procedures relating to maintenance and physical/logical access to security controls;
• consideration of business resumption and contingency plans using an off-site facility including system recovery via an external service provider;
• contingency planning for business management in addition to computer operations; and
• periodic testing of contingency plans.

Entities must have effective internal communications to ensure that:

• all staff understand the Entities objective, strategies and expectations and that they understand and adhere to policies and receive relevant information regarding operational performance;
• senior management are aware of business risks and operating performance; and
• relevant information is shared between business lines.

Monitoring Activities and Correcting Deficiencies

Entities must implement processes for monitoring internal controls involving:

• senior management making it clear which personnel are responsible for which monitoring functions within the business, financial and audit departments;
• daily monitoring and separate periodic evaluations at frequencies determined by reference to associated risks and the frequency of changes in the operating environment;
• the integration of controls and the production of regular reports including journal entries and exception reports;
• periodic evaluations of the effectiveness of monitoring which might take the form of self-assessments reviewed by senior management.

Internal Audit

Entities should ensure that an audit of the control system is carried out by operationally independent and competent staff and that they report to the governing body or its audit committee ensuring that their recommendations are acted upon. The audit should provide an independent assessment of the adequacy of and compliance with established policies. The audit team should be independent of the day-to-day functioning of the Entity and have access to all activities of the Entity.

Internal Control Deficiencies

Entities must ensure deficiencies identified by the business, its internal audit and/or control personnel are reported for correction with all significant deficiencies being reported to the governing body and senior management involving:

• senior management correcting deficiencies on a timely basis;
• senior management establishing a system to track rectification;
• the internal audit function conducting monitoring and immediately informing senior management of any uncorrected deficiencies;
• adequate procedures or receiving, recording, investigating, monitoring and resolving customer complaints;
• ensuring that customer complaints are resolved fairly, consistently and timely and that action is taken to remediate deficiencies highlighted by complaints;
• senior management should periodically receive reports on key control issues identified and on complaints received including information on the nature of the issues, volume, frequency, how issues were addressed and disciplinary action taken with any trends being identified and addressed.

Trust Companies, Company Managers and Corporate Services Providers

Specific rules have been issued by CIMA in respect of the above as follow:

• client assets must be segregated;
• client money must be held in clearly segregated and distinct accounts;
• written disclosure must be made to clients of the terms on which their money is held;
• client money accounts must be reconciled promptly;
• authorisation by dual signatories should be required for client money payments, subject to client agreed terms; and
• policies should be implemented to prevent inappropriate use of client money.

Securities Investment Business Service Providers

Specific rules have been issued by CIMA in respect of the above as follows:

• policies should be implemented to minimise potential for conflicts of interest between the Entity, its personnel and clients;
• where conflicts of interests cannot reasonably be avoided clients must be informed of the nature and possible ramifications of such conflicts and must be treated fairly;
• where discretionary authority is exercised over a client’s account the precise terms on which that authority can be exercised must be communicated to the client and only transactions consistent with the client’s investment strategy and objective should be effected;
• policies should be implemented in relation to dealing involving review processes to prevent and detect errors, omissions, fraud and other improper or unauthorised activity and ensuring fair and timely allocation of trades; and
• client funds and property should be segregated.

Footnotes:

[1] Entities regulated under the Banks and Trust Companies Act (Revised) the Building Societies Act (Revised), the Companies Management Act (Revised), the Co-operative Societies Act (Revised), the Development Bank Act (Revised), the Insurance Act (2010), the Money Services Act (Revised), the Mutual Funds Act (Revised, the Directors Registration and Licensing Act (Revised), the Private Funds Act (Revised), the Securities Investment Business Act (Revised) or the Virtual Asset Service Providers Act (Revised).